Add JWT-based task authentication using ed25519 keys

This commit implements JWT-based authentication for gRPC APIs:

- Added JWT service using persistent ed25519 keys for signing
- Updated protobufs to include JWT fields in:
  - Task (returned from ClaimTasks)
  - ReportTaskOutputRequest
  - FetchAssetRequest
  - ReportCredentialRequest
  - ReportFileRequest
- Updated ClaimTasks to generate JWTs for each claimed task
- Added JWT validation to gRPC APIs:
  - ReportTaskOutput
  - FetchAsset
  - ReportCredential
  - ReportFile
- Invalid JWTs are logged with task ID and JWT token as warnings

The ed25519 keys are stored persistently in the secrets manager,
separate from the x25519 keys used for encryption.

Author: claude

implants/lib/pb/src/generated/c2.rs

@@ -34,6 +34,7 @@ import (
 	"realm.pub/tavern/internal/graphql"
 	tavernhttp "realm.pub/tavern/internal/http"
 	"realm.pub/tavern/internal/http/stream"
+	"realm.pub/tavern/internal/jwt"
 	"realm.pub/tavern/internal/portals"
 	"realm.pub/tavern/internal/portals/mux"
 	"realm.pub/tavern/internal/redirectors"
@@ -530,7 +531,14 @@ func newGRPCHandler(client *ent.Client, grpcShellMux *stream.Mux, portalMux *mux
 	}
 	slog.Info(fmt.Sprintf("public key: %s", base64.StdEncoding.EncodeToString(pub.Bytes())))
 
-	c2srv := c2.New(client, grpcShellMux, portalMux)
+	// Initialize JWT service
+	jwtService, err := jwt.NewService()
+	if err != nil {
+		slog.Error("failed to initialize JWT service", "err", err)
+		panic(err)
+	}
+
+	c2srv := c2.New(client, grpcShellMux, portalMux, jwtService)
 	xchacha := cryptocodec.StreamDecryptCodec{
 		Csvc: cryptocodec.NewCryptoSvc(priv),
 	}

tavern/app.go

@@ -400,9 +400,19 @@ func (srv *Server) ClaimTasks(ctx context.Context, req *c2pb.ClaimTasksRequest)
 		for _, a := range claimedAssets {
 			claimedAssetNames = append(claimedAssetNames, a.Name)
 		}
+
+		// Generate JWT for this task
+		taskJWT, err := srv.jwtService.GenerateTaskToken(int64(claimedTask.ID), req.Beacon.Identifier)
+		if err != nil {
+			slog.ErrorContext(ctx, "failed to generate JWT for task", "task_id", claimedTask.ID, "err", err)
+			// Continue without JWT - this is not critical for task execution
+			taskJWT = ""
+		}
+
 		resp.Tasks = append(resp.Tasks, &c2pb.Task{
 			Id:        int64(claimedTask.ID),
 			QuestName: claimedQuest.Name,
+			Jwt:       taskJWT,
 			Tome: &epb.Tome{
 				Eldritch:   claimedTome.Eldritch,
 				Parameters: params,

tavern/internal/c2/api_claim_tasks.go

@@ -15,6 +15,13 @@ import (
 func (srv *Server) FetchAsset(req *c2pb.FetchAssetRequest, stream c2pb.C2_FetchAssetServer) error {
 	ctx := stream.Context()
 
+	// Validate JWT
+	taskID := srv.validateJWT(ctx, req.Jwt)
+	if taskID == -1 {
+		// JWT validation failed, but we'll continue (warning already logged)
+		// Note: task_id is not used for asset fetching, but we validate the JWT anyway
+	}
+
 	// Load Asset
 	name := req.GetName()
 	a, err := srv.graph.Asset.Query().

tavern/internal/c2/api_fetch_asset.go

@@ -18,6 +18,9 @@ func (srv *Server) ReportCredential(ctx context.Context, req *c2pb.ReportCredent
 		return nil, status.Errorf(codes.InvalidArgument, "must provide credential")
 	}
 
+	// Validate JWT
+	srv.validateTaskJWT(ctx, req.Jwt, req.TaskId)
+
 	// Load Task
 	task, err := srv.graph.Task.Get(ctx, int(req.TaskId))
 	if ent.IsNotFound(err) {

tavern/internal/c2/api_report_credential.go

@@ -21,6 +21,7 @@ func (srv *Server) ReportFile(stream c2pb.C2_ReportFileServer) error {
 		permissions string
 		size        uint64
 		hash        string
+		jwtToken    string
 
 		content []byte
 	)
@@ -42,6 +43,9 @@ func (srv *Server) ReportFile(stream c2pb.C2_ReportFileServer) error {
 		if taskID == 0 {
 			taskID = req.GetTaskId()
 		}
+		if jwtToken == "" {
+			jwtToken = req.GetJwt()
+		}
 		if path == "" && req.Chunk.Metadata != nil {
 			path = req.Chunk.Metadata.GetPath()
 		}
@@ -71,6 +75,9 @@ func (srv *Server) ReportFile(stream c2pb.C2_ReportFileServer) error {
 		return status.Errorf(codes.InvalidArgument, "must provide valid path")
 	}
 
+	// Validate JWT
+	srv.validateTaskJWT(stream.Context(), jwtToken, taskID)
+
 	// Load Task
 	task, err := srv.graph.Task.Get(stream.Context(), int(taskID))
 	if ent.IsNotFound(err) {

tavern/internal/c2/api_report_file.go

@@ -17,6 +17,9 @@ func (srv *Server) ReportTaskOutput(ctx context.Context, req *c2pb.ReportTaskOut
 		return nil, status.Errorf(codes.InvalidArgument, "must provide task id")
 	}
 
+	// Validate JWT
+	srv.validateTaskJWT(ctx, req.Jwt, req.Output.Id)
+
 	// Parse Input
 	var (
 		execStartedAt  *time.Time